A First Look at XSS and a Try at Defending Against It

I've recently become interested in web security, having never studied it before. After all, I have written a few small projects (toys, really), and now I'm learning how to make those projects (toys) more secure.

What is XSS?

Cross Site Scripting: to avoid confusion with the abbreviation for Cascading Style Sheets (CSS), cross-site scripting is abbreviated as XSS. A malicious attacker inserts malicious script code into a web page; when a user browses that page, the script code embedded in the page is executed, achieving the attacker's particular goal against the user, such as obtaining the user's cookie, redirecting to a malicious website, or delivering a trojan.
Reposted from: http://www.cnblogs.com/Erik_Xu/p/5403773.html

How is XSS carried out?
  1. A malicious attacker can insert malicious code into their profile description, so that when other users view that profile, the malicious code runs.

  2. A malicious attacker can publish an article with an eye-catching title and malicious code in the body, so that the code runs when users read the article.

  3. A malicious attacker inserts malicious code into a reply or comment on a popular article or thread, so that the code runs when users browse to that reply or comment.
    Reposted from: http://www.cnblogs.com/Erik_Xu/p/5403773.html

How to defend against XSS?
  1. Specifying a charset. First of all, ensure that your web page specifies the UTF-8 charset in the headers or in the very beginning of the head element. HTML encode all inputs to prevent a UTF-7 attack in Internet Explorer (and older versions of Firefox) despite other efforts to prevent XSS.

  2. HTML escaping. Keep in mind that you need to HTML-escape all user input. This includes replacing < with &lt;, > with &gt;, & with &amp; and " with &quot;. If you will ever use single-quoted HTML attributes, you need to replace ' with &#39; as well. Typical server-side scripting languages such as PHP provide functions to do this, and I encourage you to expand on these by creating standard functions to insert HTML elements rather than inserting them in an ad-hoc manner.

  3. Other types of escaping. You still, however, need to be careful to never insert user input as an unquoted attribute or an attribute interpreted as JavaScript (e.g. onload or onmouseover). Obviously, this also applies to script elements unless the input is properly JavaScript-escaped, which is different from HTML escaping. Another special type of escaping is URL escaping for URL parameters (do it before the HTML escaping to properly include a parameter in a link).

  4. Validating URLs and CSS values. The same goes for URLs of links and images (without validating based on approved prefixes) because of the javascript: URL scheme, and also CSS stylesheet URLs and data within style attributes. (Internet Explorer allows inserting JavaScript expressions as CSS values, and Firefox is similarly problematic with its XBL support.) If you must include a CSS value from an untrusted source, you should safely and strictly validate or CSS escape it.

  5. Not allowing user-provided HTML. Do not allow user-provided HTML if you have the option. That is an easy way to end up with an XSS problem, and so is writing a “parser” for your own markup language based on simple regex substitutions. I would only allow formatted text if the HTML output were generated in an obviously safe manner by a real parser that escapes any text from the input using the standard escaping functions and individually builds the HTML elements. If you have no choice over the matter, use a validator/sanitizer such as AntiSamy.

  6. Preventing DOM-based XSS. Do not include user input in JavaScript-generated HTML code and insert it into the document. Instead, use the proper DOM methods to ensure that it is processed as text, not HTML.

Reposted from: https://stackoverflow.com/questions/3129899/what-are-the-common-defenses-against-xss

In short: use UTF-8, HTML-escape output, never treat user input as part of JavaScript, validate resources such as CSS and images, and don't insert user input into the DOM.
The most effective method of all: don't accept user input.

My project

My project is an online shop where sellers can publish product listings. The product title (plain text) and the product description (rich text) can be anything the seller types in, and that gives a malicious attacker an opening.

An attacker can use <a style="color:red">aaa</a> to change the styling of the content at will.
They can even use <script>alert('hello,world');</script> to insert a malicious script.

My approach: before storing to the database, convert '<', '>' and '/' into '&lt;', '&gt;' and '&#x2f;'.

Effect: [screenshot omitted]

What if, instead of <script>,
we use <h1 onmouseover="javascript:alert('hello,world!');">haha</h1>?

The effect is the same: [screenshot omitted]

What about this one: [screenshot omitted]
It doesn't work either: [screenshot omitted]

Is everything fine now??
Of course not.
There is another case: <h1 width={value read from the database} ></h1>
Then the attacker only needs to get '100px' onmouseover="javascript:alert('hello,world');" into the database to succeed, because so far I have only converted < > /.
Do I really have to convert ( ) ' ; as well?

No. I simply won't write data inside a tag in the first place!
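To make the attribute problem concrete, here is an added example in JavaScript (my own, not code from the original post) that puts the three-character escape beside a full HTML escape and uses a simplified attribute tokenizer to show that the '100px' onmouseover value becomes a second attribute when the template leaves the value unquoted, while a quoted attribute with the full escape keeps it inert. The function names escapePartial, escapeHtml, renderUnquoted, renderQuoted and attributeNames and the PAYLOAD constant are names chosen for this example.

```javascript
// Added example (not the blog's code): the post's three-character escape beside a
// full HTML escape, plus a simplified tokenizer showing why an unquoted attribute
// still breaks after escaping only '<', '>' and '/'. Runs under Node.js.

// The post's approach: replace only '<', '>' and '/' before storing.
function escapePartial(s) {
  return String(s).replace(/[<>\/]/g, (c) => ({ '<': '&lt;', '>': '&gt;', '/': '&#x2f;' }[c]));
}

// Full escape: '&', '"' and "'" too, so output is safe in text and in quoted attributes.
function escapeHtml(s) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;', '/': '&#x2f;' };
  return String(s).replace(/[&<>"'\/]/g, (c) => map[c]);
}

// The post's risky template (unquoted attribute) and the quoted, fully escaped one.
function renderUnquoted(width) { return `<h1 width=${escapePartial(width)}>title</h1>`; }
function renderQuoted(width) { return `<h1 width="${escapeHtml(width)}">title</h1>`; }

// Attribute names of the first start tag, tokenized roughly as a browser would:
// quoted values run to the matching quote, unquoted values end at whitespace or '>'.
// Any name beyond the intended one means the value broke out of its attribute.
function attributeNames(html) {
  const names = [];
  let i = html.indexOf('<');
  if (i < 0) return names;
  for (i++; i < html.length && !/[\s>\/]/.test(html[i]); i++); // skip the tag name
  while (i < html.length && html[i] !== '>') {
    if (/[\s\/]/.test(html[i])) { i++; continue; }
    let name = '';
    while (i < html.length && !/[\s=>\/]/.test(html[i])) name += html[i++];
    names.push(name.toLowerCase());
    while (i < html.length && /\s/.test(html[i])) i++;
    if (html[i] !== '=') continue;
    for (i++; i < html.length && /\s/.test(html[i]); i++);
    const q = html[i];
    if (q === '"' || q === "'") {
      const end = html.indexOf(q, i + 1);
      i = end < 0 ? html.length : end + 1;
    } else {
      while (i < html.length && !/[\s>]/.test(html[i])) i++;
    }
  }
  return names;
}

// Constructed payload from the post: it breaks out of an unquoted width attribute.
const PAYLOAD = "'100px' onmouseover=\"javascript:alert('hello,world');\"";
console.log(attributeNames(renderUnquoted(PAYLOAD))); // [ 'width', 'onmouseover' ]
console.log(attributeNames(renderQuoted(PAYLOAD)));   // [ 'width' ]
```

The same escapeHtml is what the description (text-content) context needs as well; the tokenizer is only a demonstration aid, not a substitute for a real HTML sanitizer.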

References

[1] http://www.freebuf.com/articles/web/9977.html, author: shineforyou
[2] http://www.cnblogs.com/Erik_Xu/p/5403773.html, author: 编程玩家
[3] https://stackoverflow.com/questions/3129899/what-are-the-common-defenses-against-xss
